U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Quick Reaction Report

Results of Technical Network Vulnerability Assessment:
EPA’s Ronald Reagan Building
Report No. 10-P-0212

September 7, 2010

Report Contributors:
    Rudolph M. Brevard
    Charles Dade
    Cheryl Reid
    Michael Goode, Jr.
    Vincent Campbell


U.S. Environmental Protection Agency
Office of Inspector General
10-P-0212
September 7, 2010

At a Glance
Catalyst for Improving the Environment

Results of Technical Network Vulnerability Assessment: EPA’s Ronald Reagan Building

Why We Did This Review

As part of the annual audit of the U.S. Environmental Protection Agency’s (EPA’s) compliance with the Federal Information Security Management Act, the Office of Inspector General (OIG) conducted network vulnerability testing of the Agency’s network devices in EPA’s Ronald Reagan Building located in Washington, DC.

Background

Network vulnerability testing was conducted to identify any network risk vulnerabilities and to present the results to the appropriate EPA officials, who can then promptly remediate or document planned actions to resolve the vulnerability.

What We Found

Vulnerability testing of EPA’s Ronald Reagan Building network conducted in June 2010 identified Internet Protocol addresses with numerous high-risk and medium-risk vulnerabilities. The OIG met with EPA information security personnel to discuss the findings. If not resolved, these vulnerabilities could expose EPA’s assets to unauthorized access and potentially harm the Agency’s network.

What We Recommend

We recommend that the Director, Enterprise Desktop Solutions Division, Office of Environmental Information:

• Provide the OIG a status update for all identified high-risk and medium-risk vulnerability findings contained in this report.

• Create plans of action and milestones in the Agency’s Automated Security Self-Evaluation and Remediation Tracking system for all vulnerabilities that cannot be corrected within 30 days of this report.

• Perform a technical vulnerability assessment test of assigned network resources within 60 days to confirm completion of remediation activities.

Due to the sensitive nature of the report’s technical findings, the attachments are not available to the public.

For further information, contact our Office of Congressional, Public Affairs and Management at (202) 566-2391.

To view the full report, click on the following link:
www.epa.gov/oig/reports/2010/20100907-10-P-0212.pdf


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

September 7, 2010

MEMORANDUM

SUBJECT:  Results of Technical Network Vulnerability Assessment:
          EPA’s Ronald Reagan Building
          Report No. 10-P-0212

FROM:     Arthur A. Elkins, Jr.
          Inspector General

TO:       Johnny Davis, Jr.
          Director, Enterprise Desktop Solutions Division
          Office of Environmental Information

Attached is the final technical network vulnerability assessment report prepared by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA).[1] The site assessment was conducted in conjunction with the Fiscal Year 2010 Federal Information Security Management Act audit. Vulnerability testing of EPA’s Ronald Reagan Building network conducted in June 2010 identified Internet Protocol addresses with numerous high-risk and medium-risk vulnerabilities.

We performed this audit from May through August 2010 at EPA’s Ronald Reagan Building in Washington, DC. We performed this audit in accordance with generally accepted government auditing standards. These standards require that we plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for our findings and conclusions based on the audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions.

We conducted testing to identify the existence of commonly known vulnerabilities using a commercially available network vulnerability assessment tool recognized by the National Institute of Standards and Technology. We tested Internet Protocol addresses provided by Agency representatives and identified as being associated with network resources controlled by your office. We used the risk ratings provided by the vulnerability software to determine the level of harm a vulnerability could cause to a network resource. We accepted the results from the software tool. The vulnerabilities identified by the software are disclosed in the attachments.

The estimated cost for performing these tests and compiling this report is $7,628.

Recommendations

We recommend that the Director, Enterprise Desktop Solutions Division, Office of Environmental Information:

   1. Provide the OIG a status update for all identified high-risk and medium-risk vulnerability findings contained in this report.

   2. Create plans of action and milestones in the Agency’s Automated Security Self-Evaluation and Remediation Tracking system for all vulnerabilities that cannot be corrected within 30 days of this report.

   3. Perform a technical vulnerability assessment test of assigned network resources within 60 days to confirm completion of remediation activities.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 30 calendar days. You should include a corrective actions plan for agreed-upon actions, including milestone dates.

Due to the sensitive nature of the report’s technical findings, the full report will not be made available to the public. However, the OIG plans to publish the unrestricted version of this report, your response, and any corrective action plans on OIG’s Website, which is available to the public. Therefore, we request that you provide your response to Recommendation 1 in a separate document.

If you or your staff have any questions regarding this report, please contact Rudy Brevard at (202) 566-0893 or brevard.rudy@epa.gov.

[1] A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a tested information system. A vulnerability assessment does not include a penetration test, which would attempt to use the identified vulnerabilities to gain further access into the tested information system.


Status of Recommendations and Potential Monetary Benefits

RECOMMENDATIONS

Rec.  Page  Subject                                                   Status[1]  Action Official                                   Planned
No.   No.                                                                                                                          Completion Date
1     2     Provide the OIG a status update for all identified        U          Director, Enterprise Desktop Solutions Division,  (blank)
            high-risk and medium-risk vulnerability findings                     Office of Environmental Information
            contained in this report.

2     2     Create plans of action and milestones in the Agency’s     U          Director, Enterprise Desktop Solutions Division,  (blank)
            Automated Security Self-Evaluation and Remediation                   Office of Environmental Information
            Tracking system for all vulnerabilities that cannot be
            corrected within 30 days of this report.

3     2     Perform a technical vulnerability assessment test of      U          Director, Enterprise Desktop Solutions Division,  (blank)
            assigned network resources within 60 days to confirm                 Office of Environmental Information
            completion of remediation activities.

POTENTIAL MONETARY BENEFITS (in $000s)

The Claimed Amount and Agreed To Amount columns are blank for all three recommendations.

[1] O = recommendation is open with agreed-to corrective actions pending
    C = recommendation is closed with all agreed-to actions completed
    U = recommendation is undecided with resolution efforts in progress


Appendix A

Distribution

Office of the Administrator
Assistant Administrator for Environmental Information and Chief Information Officer
Director, Enterprise Desktop Solutions Division, Office of Environmental Information
Acting Senior Agency Information Security Officer
Acting Director, Technology and Information Security Staff
Agency Follow-up Official (the CFO)
Agency Follow-up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Audit Follow-up Coordinator, Office of Environmental Information
Inspector General